The access control list for a given interface specifies IP addresses that are allowed or denied access to the S Series Node through that interface. Each entry in an access control list can be:
- A single IP address
- A range of IPv4 addresses specified as ip-address/subnet-mask (for example, 192.168.100.197/255.255.255.0) or in CIDR format (for example, 192.168.100.0/24)
- A range of IPv6 addresses specified in CIDR format (for example, 2001:0db8::/32)
The CIDR entry that matches all IPv4 addresses is 0.0.0.0/0. The CIDR entry that matches all IPv6 addresses is 0::0/0.
Each entry in the list has an access setting of Allow or Deny. An individual IP address can end up with both settings if, for example, the IP address is in an address-range entry and also is an entry by itself.
To control how the S Series Node handles IP addresses that have neither, one, or both of the Allow and Deny settings for a given interface, you use the "Allow access from IP address with both Allow and Deny settings" option for that interface. The table below describes how this option works.
| Access control list entries | "Allow access from IP address with both Allow and Deny settings" = Yes | "Allow access from IP address with both Allow and Deny settings" = No |
|---|---|---|
| Allow: none; Deny: none | All IP addresses have access. | No IP addresses have access. |
| Allow: at least one entry; Deny: none | All IP addresses have access. | IP addresses with the Allow setting have access. All other IP addresses do not have access. |
| Allow: none; Deny: at least one entry | IP addresses with the Deny setting do not have access. All other IP addresses have access. | No IP addresses have access. |
| Allow: at least one entry; Deny: at least one entry | IP addresses with only the Deny setting do not have access. All other IP addresses have access. | IP addresses with only the Allow setting have access. All other IP addresses do not have access. |
At all times, at least one IP address must be allowed access to the HCP S Series Management Console, either explicitly or due to the list-handling option.
You cannot add the IP address from which you're currently accessing an S Series Node to the access control list for the interface you're using. Similarly, you cannot change the setting for allow-list and deny-list handling for that interface so that access would be denied from that IP address.
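The following Python script is an added example, not code from the S Series Node product or its documentation. It parses the three entry forms described above (single address, ip-address/subnet-mask, and IPv4 or IPv6 CIDR) with the standard `ipaddress` module, then evaluates the table as a single per-address rule: with the option set to Yes, an address is denied only when it matches a Deny entry and no Allow entry; with the option set to No, an address is admitted only when it matches an Allow entry and no Deny entry. Every row of the table is a special case of that rule. The `change_is_safe` helper, the `AclEntry` type and the sample entries are assumptions made for this example; `change_is_safe` models the lockout rule by asking whether the address an administrator is currently connecting from would still have access after a proposed change.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class AclEntry:
    """One access control list entry (hypothetical type for this example)."""
    network: Network
    allow: bool  # True = Allow setting, False = Deny setting


def parse_entry(text: str, allow: bool) -> AclEntry:
    """Parse a single address, ip-address/subnet-mask, or CIDR entry (v4 or v6).

    ipaddress.ip_network accepts all three forms; strict=False lets a host
    address such as 192.168.100.197/255.255.255.0 stand for its /24 network.
    A bare address becomes a /32 (IPv4) or /128 (IPv6) network.
    """
    return AclEntry(ipaddress.ip_network(text.strip(), strict=False), allow)


def has_access(ip: str, entries: List[AclEntry], allow_when_both: bool) -> bool:
    """Apply the documented table to one client address.

    allow_when_both is the "Allow access from IP address with both Allow and
    Deny settings" option for the interface. Address-family mismatches never
    match: an IPv4 address is not contained in an IPv6 network and vice versa.
    """
    addr = ipaddress.ip_address(ip)
    in_allow = any(e.allow and addr in e.network for e in entries)
    in_deny = any((not e.allow) and addr in e.network for e in entries)

    if allow_when_both:
        # Yes column: only addresses with the Deny setting alone are refused;
        # with no Deny entries at all this admits every address.
        return not (in_deny and not in_allow)
    # No column: only addresses with the Allow setting alone are admitted;
    # with no Allow entries at all this refuses every address.
    return in_allow and not in_deny


def change_is_safe(current_ip: str, entries: List[AclEntry],
                   allow_when_both: bool) -> bool:
    """Assumed lockout check: True if the proposed list and option setting still
    admit the address the administrator is connecting from."""
    return has_access(current_ip, entries, allow_when_both)


# Constructed sample list for illustration: a /24 Allow, a single-address Deny
# inside that /24 (so 192.168.100.197 carries both settings), and an IPv6 Allow.
SAMPLE_ENTRIES = [
    parse_entry("192.168.100.0/24", allow=True),
    parse_entry("192.168.100.197", allow=False),
    parse_entry("2001:0db8::/32", allow=True),
]

if __name__ == "__main__":
    for client in ("192.168.100.5", "192.168.100.197", "10.0.0.1", "2001:db8::1"):
        for option in (True, False):
            print(f"{client:>16}  option={'Yes' if option else 'No ':3}  "
                  f"access={has_access(client, SAMPLE_ENTRIES, option)}")
    # An administrator on 192.168.100.197 would lock themselves out by
    # switching the option to No while both entries remain in the list.
    print("change safe:", change_is_safe("192.168.100.197", SAMPLE_ENTRIES, False))
```

Run as a script it prints the decision for each sample client under both option settings; the last line shows the lockout case the documentation warns about, where an address carrying both settings loses access the moment the option is switched to No.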